Edge, IE can find themselves running unexpected code if cooked by a malicious site

First turned up on November 25, the bug offers evildoers a technique that would let a malicious web site crash a visitor's browser as the main course, with code execution as the dessert.

Detailed here, the bug works by attacking a type confusion in HandleColumnBreak
OnColumnSpanningElement.

A 17-line proof-of-concept crashes that process, with a focus on two variables rcx and rax.

“An attacker can affect rax by modifying table properties such as border-spacing and the width of the first th element,” Project Zero's post states – so the crafted Web page just needs to point rax to memory they control.

The issue was published at the end of Project Zero's 90-day disclosure deadline, and it remains unpatched.

Earlier this month, Redmond delayed February's Patch Tuesday, but last week it managed to emit a bunch of fixes for Adobe Flash. ®